Why Data Discovery is Essential for PCI DSS Compliance

Companies are producing and processing data in massive volumes. This data is then scattered across a multitude of environments, such as on-premise infrastructure, SaaS applications, or across multi-cloud IaaS platforms. Apart from a company’s regulated environment on-premises, a significant part of data also exists across unregistered devices such as smartphones, emails, etc. This ultimately results in data sprawl, which in turn leads to a lack of visibility into personal information (PI) as well as sensitive data.

When companies deal with PI and sensitive data, such as customers’ financial information, it requires optimal protection against cyber security threats as well as strict compliance with privacy laws and industry standards, such as Payment Card Industry Data Security Standard (PCI DSS). Weak data protection strategies may lead to security breaches, which could be very harmful to the customers - leading to ID thefts, increased risk of fraud, and even harm to the reputation of the enterprises.

In some cases, customers may even sue an organization for its security failures and this could lead to massive financial damage and loss of consumer trust. In the case of payment processing services, a company might even lose important channels of business altogether. For example, not being able to protect cardholders’ data as per the PCI DSS standard may lead to prohibitions from processing further payments through credit and debit cards.

PCI DSS Compliance and Its Data Security Requirements

While most data privacy protection laws provide coverage for a broad range of personal data attributes, the PCI DSS governs only payment card processing-related attributes, mandating them to ensure the security of stored sensitive data resulting from payment card transactions.

When companies process payment card transactions, two types of sensitive data are generated: authentication data and non-authentication data. The authentication data is prohibited to be stored, as per PCI DSS regulations, and needs to be erased from every storage system immediately. This type of data includes Card Verification Value (CVV), Primary Account Number (PAN), and Personal Identification Number (PIN).

The non-authentication data includes the cardholder’s name, card expiration date, and service code. PCI DSS regulations allow the storage and processing of non-authentication data as long as it is protected and the organization’s information security standards in relation to this data comply with its policies.

12 PCI Data Security Requirements

PCI DSS mandates all sellers or payment card processing services ensure the safe and secure collection, transmission, and processing of cardholders’ data. PCI DSS has laid down 12 requirements, which are grouped under 6 goals. Every payment card processing service must comply with the defined security requirements:

Build and Maintain a Secure Network

• Payment card processing services and merchants are required to ensure strict security measures by setting up firewalls. Firewalls are the first line of defense against unauthorized incoming and outgoing traffic on a network. By setting up rules and policies, firewall configuration can be hardened for improved data security.
• PCI DSS further mandates that default security configurations shouldn't be left unattended and should be modified on existing and new systems. The regulatory authority further requires merchants and service providers to maintain a record of all systems and configurations.

Protect Cardholder Data

• Merchants and sellers are required to ensure optimal protection of cardholders’ data. This can be achieved by locating where the data resides and determining whether it needs to be truncated, encrypted, hashed, or erased altogether.
• Apart from ensuring the protection of data at rest, it is integral that merchants and service providers should encrypt the data when it is in transit. Whenever a cardholder’s data moves across any public or open networks, it needs to be encrypted via encryption standards, such as SSH and TLS, to name a few.

Maintain a Vulnerability Management Program

• All systems, both on-premises and remote, need to have an antivirus or an anti-malware application installed. These applications further need to be kept up to date with the latest virus definition so the systems and the residing data of cardholders stay protected against known and new virus threats.
• Merchants and service providers need to develop and maintain a security system that regularly scans and protects against security vulnerabilities. It is critical that all systems, such as POS terminals, computers, or routers, have the latest security patches installed.

Implement Strong Access Control Measures

• A strict access control system should be maintained to ensure that the cardholders’ data is accessible to users on a need-to-know basis. Access control allows system administrators to reduce the chances of unauthorized access to cardholders’ sensitive information. This further requires the concerned entities to maintain a record of each person, their role, and access privileges.
• The same requirement further mandates that the system administrators must assign unique IDs and passwords to users with access to sensitive information. This allows administrators to maintain a strict record of all activities and trace any abnormality or security breach.
• PCI DSS requires merchants and service providers to restrict users’ physical access to sensitive data. This can be done by ensuring physical access control practices, such as keeping logs, using CCTV surveillance, etc.

Regularly Monitor and Test Networks

• This PCI DSS data security requirement warrants strict service providers and merchants to have an audit policy and to maintain system logs. This will allow the information security teams to effectively monitor the logs for any suspicious activities.
• The requirement further requires frequent monitoring of systems and tests for security vulnerabilities and exploits.

Maintain an Information Security Policy

• The final requirement mandates that the merchants and service providers must establish and implement security policies for every employee, vendor, and contractor. This calls for background checks on personnel, regular risk assessments, etc.

The Need of Effective Data Discovery for PCI DSS Compliance

PCI DSS regulations require that the sensitive data of a cardholder which is collected, stored, and processed by the organization during and after a transaction, must be protected at all times. In order for organizations to comply with PCI DSS regulations, they must meet the established data security requirements, as discussed above.

In summary, the security requirements boil down to the following:

• Access control
• Security posture/assessment
• Encryption or alternate security implementation
• Vulnerability assessment

Assurance of these security requirements is only possible when the merchant or the service provider knows where cardholder data resides in its systems, and this is especially a problem due to data sprawl. For example, when data is accessed or used by multiple processes, it tends to spread to other systems. Apart from residing in the data assets in a known environment, a cardholder’s data may make its way to other devices inadvertently, such as a smartphone, personal laptop, or a BYOD machine due to the aforementioned data sprawl. Such data sprawl or leak is possible due to the cross-platform auto-synchronization.

Therefore, to ‘discover’ in which data systems customers’ cardholder data is stored, organizations must devise a method to scan data within their data systems to determine which of them falls within the definition of cardholder data or not and which of them is more sensitive than the other.

This is where PCI DSS card data discovery comes into play.

Data discovery starts with the identification of data assets across the network. It creates visibility into data assets by first gathering and building a catalog of all cloud-native and non-native data assets that could be across SaaS applications, IaaS data stores across multiple cloud providers, or on-premises. Effective data discovery systems allow identification of critical information, such as cardholder’s name, card expiration date, and other details in structured forms (tables and columns) or unstructured forms (spreadsheets, emails, etc).

Once the data assets are mapped and cataloged, the next step is to discover and classify the data within assets or object stores. Data classification helps categorize data as per its sensitivity or security risk. As a result, teams can determine the types of security measures that need to be implemented.

It’s only after an effective data discovery mechanism that the organization can assess the security posture of that database and the vulnerabilities that it may have. This provides a reliable basis for which the organization can implement security measures and other risk mitigations to ensure it remains protected.

Important Data Discovery Considerations for PCI Compliance

Before starting the PCI DSS card data discovery process, it is vital to define the scope of cardholder data (CHD) discovery and classification. Seller and service providers can attempt to define an accurate scope by taking into account the following important considerations:

• Data discovery requires scanning of data across all the data assets and object stores. Organizations shouldn’t limit their card discovery scan to their card data environment (CDE). There are many ways through which card data can make its way out of the existing or pre-defined CDE. Therefore, it is vital for the service provider to conduct organization-wide data discovery.
• Apart from taking an organization-wide scan, the discovery process should cover all the devices, platforms, and operating systems where the data may exist. Ruling out any device or platform may result in exposure to security risks.
• Another important factor to consider is the file type and format. A cardholder’s data could exist in any format or type. The data discovery process should be able to recognize and classify every type of format so that no data remains undetected, and thus, exposed.
• A cardholder’s sensitive data can exist anywhere in structured and unstructured systems. It is because of that, there’s a high chance that the discovery tool may result in False Positives. The false-positive refers to the data that incorrectly matches with the data that the tool is searching for.
• If a cardholder’s data is breached, the organization might have to provide notification to the cardholder as per applicable data breach notification laws and might even have to offer risk mitigation services (ID theft insurance, etc.). Thus the data discovery tool should be able to link cardholder’s data back to the cardholder’s identity, using auto PI linking and sensitive data intelligence, to ease reporting requirements.

Sellers and service providers should use the right data discovery tool that can integrate natively with their card data environment and the cloud data assets. The tool should also offer a deep discovery feature that can scan and discover different personal and sensitive data attributes, use Machine Learning, AI, and contextual analysis to reduce false positives, identify security and privacy metadata within the data, and classify the risk posed by the data.

All in all, the data discovery tool should give detailed insights into the data type, its sensitivity level, security posture, and compliance.

Securiti Data Discovery Finds Personal and Sensitive Data Across SaaS, Hybrid, and Multi-Cloud

Securiti offers an AI-powered robotic data discovery tool, built to scan data in structured and unstructured systems across an organization’s dynamic environment. Along with sensitive data intelligence and Personal Information auto-linking, Securiti’s data discovery tool discovers Personal Information within structured or unstructured databases, identifies the type of data, appends its security, and privacy metadata, scores it according to the risk it poses, and auto-links it to the data subject’s ID. Thus, with our Data Discovery tool, organizations can:

• Discover and catalog cardholder data (CHD) in their data assets, which is spread across their dynamic environments, under one roof.
• Use native connectors to integrate with data assets for efficient cardholder data discovery.
• Remove false positives using contextual inference that assesses detections.
• Label predefined attributes to discovered cardholder data.
• Identify authentication and non-authentication data attributes for PCI regulatory compliance.
• Link card data to relevant cardholders for compliance with breach notification, consent management, and other applicable data privacy obligations.
• Assess the security posture of the assessed cardholder data to recommend security measures.
• Govern access control to cardholders’ data from a single dashboard.

See our Demo to watch our Data Discovery solution in action.